Re: postfix-tls error
On Fri, Aug 04, 2017 at 12:31:53PM +0530, hyndavirap...@bel.co.in wrote:

> >> Can you help me to solve this problem
> >
> > Not without the requested logging, and copy of the server and CA
> > certificates.
>
> TLS logging is as below,
>
> Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> certificate verification depth=1 verify=1

Your nexthop domain is "201.123.1.4"; what is the verbatim entry in the
transport table that makes it so?

> Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in,

The subject CN is:

    subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in

not "1CorpHQ"! That "/emailaddress" is, despite appearances to the
contrary, part of the subject CN and not a separate RDN component.

> issuer_CN=CA/emailAddress=ca_ad...@bel.co.in,

Ditto here, though that is not a problem.

> Aug 4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
> established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The certificate chain is valid, but the name does not match.

> tls_policy entry is given below
>
> [201.123.1.4]:25 secure match=1CorpHQ

Do make sure that the transport table entry is:

    1CorpHQ.tcs.mil.in smtp:[201.123.1.4]:25

and not some variant. On the other hand, I would have gone with just:

    transport:
        1CorpHQ.tcs.mil.in smtp:[201.123.1.4]

    tls_policy:
        [201.123.1.4] secure match=1CorpHQ

i.e. leave off the implicit ":25" in both.

Of course your real problem is the "/emailaddress=..." in the subject
CN. You posted only the text form of the certificate; the evidence would
have been more conclusive with the actual PEM certificate included.

--
Viktor.
Re: postfix-tls error
> On Thu, Aug 03, 2017 at 12:19:55PM +0530, hyndavirap...@bel.co.in wrote:
>
>> > He's not posted the configuration of the sending system or
>> > its logs. This is a waste of everyone's time.
>
> The relevant logging is the TLS-related logging from the sending
> postfix/smtp client process that happens *before* the message is
> finally deferred and is enabled via smtp_tls_loglevel=1.
>
>> smtp_enforce_tls = yes
>
> Instead, "smtp_tls_security_level = encrypt".
>
>> smtp_tls_loglevel = 1
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> Post the relevant tls policy table entry.
>
>> smtp_use_tls = yes
>
> This is unnecessary.
>
>> transport_maps = hash:/etc/postfix/transportmap
>>
>> Aug 3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
>> to=, orig_to= ,
>> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
>> status=deferred (Server certificate not verified)
>
> The server certificate failed to verify. Perhaps expired, perhaps
> not issued by the CA you've configured, or a missing intermediate
> certificate, or the certificate is not suitable for TLS (maybe it
> has some other extended key usage), or ...
>
>> Can you help me to solve this problem
>
> Not without the requested logging, and copy of the server and CA
> certificates.
>
> --
> Viktor.

Hi Viktor,

TLS logging is as below,

Aug 4 11:52:29 AHQ postfix/smtp[11652]: initializing the client-side TLS engine
Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:before/connect initialization
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv2/v3 write client hello A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server hello A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: certificate verification depth=1 verify=1 subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=CA/emailAddress=ca_ad...@bel.co.in
Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: certificate verification depth=0 verify=1 subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server certificate A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server key exchange A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server done A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write client key exchange A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write change cipher spec A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write finished A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 flush data
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server session ticket A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read finished A
Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25 CommonName 1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in, issuer_CN=CA/emailAddress=ca_ad...@bel.co.in, fingerprint=99:EE:C4:42:4B:89:4F:1D:4C:93:18:48:7B:EA:90:9D, pkey_fingerprint=5D:0D:58:AF:8B:A8:2C:D5:5F:9F:D2:DB:29:89:57:BD
Aug 4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 4 11:52:29 AHQ postfix/smtp[11652]: 249ED60E5225: to= , orig_to= , relay=201.123.1.4[201.123.1.4]:25, delay=0.05, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified)

tls_policy entry is given below

[201.123.1.4]:25 secure match=1CorpHQ

I have checked the server certificate against the CA cert using the openssl command. It is fine:

[root@AHQ certs]# openssl verify -verbose -CAfile cacert.pem 1corphq_smtp_ad...@tcs.mil.in.pem
1corphq_smtp_ad...@tcs.mil.in.pem: OK

and the same CA certificate exists in ca-bundle.crt.

I'm attaching the 1CorpHQ server certificate details with the mail.

--
Thanks & Regards
Hyndavi Rapuru
Member (Research Staff)
Central Research Laboratory
Bharat Electronics Ltd
Jalahalli
Bangalore- 560 013
Int Ph No: 134
Off Ph No: 080-28381125
Off Fax No: 28381168

Every 3000 sheets of paper costs us a tree. Save trees. Conserve trees. Don't print this email or any files unless you really need to.

Confidentiality Notice: The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or supp...@bel.co.in immediately and destroy all copies of this message and any attachments.
Re: postfix-tls error
On Thu, Aug 03, 2017 at 12:19:55PM +0530, hyndavirap...@bel.co.in wrote:

> > He's not posted the configuration of the sending system or
> > its logs. This is a waste of everyone's time.

The relevant logging is the TLS-related logging from the sending
postfix/smtp client process that happens *before* the message is
finally deferred and is enabled via smtp_tls_loglevel=1.

> smtp_enforce_tls = yes

Instead, "smtp_tls_security_level = encrypt".

> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Post the relevant tls policy table entry.

> smtp_use_tls = yes

This is unnecessary.

> transport_maps = hash:/etc/postfix/transportmap
>
> Aug 3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
> to=, orig_to= ,
> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
> status=deferred (Server certificate not verified)

The server certificate failed to verify. Perhaps expired, perhaps
not issued by the CA you've configured, or a missing intermediate
certificate, or the certificate is not suitable for TLS (maybe it
has some other extended key usage), or ...

> Can you help me to solve this problem

Not without the requested logging, and copy of the server and CA
certificates.

--
Viktor.
Re: postfix-tls error
> On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote:
>
>> >> smtpd_tls_loglevel = 2
>> >
>> > Change that to 1, and also set:
>> >
>> > smtp_tls_security_level = 1
>>
>> Oops, that should be
>>
>> smtp_tls_loglevel = 1
>
> Indeed a typo, thanks for the correction, ... and then the OP must
> *POST* the resulting logging.
>
> He's not posted the configuration of the sending system or
> its logs. This is a waste of everyone's time.
>
> --
> Viktor.

Hi Viktor,

By mistake, I posted the receiving server configuration. Below is the
configuration of the sending system:

bounce_queue_lifetime = 40s
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 8h
mydestination = $myhostname.$mydomain,$myhostname, $myhostname, localhost.localdomain
mydomain = tcs.mil.in
myhostname = AHQserver.tcs.mil.in
mynetworks = 127.0.0.0/8, 201.123.80.0/24, 201.123.1.0/24, 201.123.2.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 30s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_use_tls = yes
smtpd_starttls_timeout = 300s
smtpd_tls_CApath = /root/hyndavi/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /root/hyndavi/certs/ahq_smtp_ad...@tcs.mil.in.pem
smtpd_tls_key_file = /root/hyndavi/certs/ahq_smtp_ad...@tcs.mil.in.key
smtpd_tls_security_level = encrypt
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_map_ldapusers, ldap:/etc/postfix/ldapdistlist.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = AHQ.tcs.mil.in
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_ldapusers
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000

As I have already said, ca-bundle.crt contains the CA certificate. Both
the sending and receiving server certificates have been generated with
the same CA certificate. The CA is a self-signed certificate.

After making the configuration changes that were suggested, I sent mail
from the AHQ server to the 1CorpHQ server. Below is the log:

Aug 3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC: to=, orig_to= , relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5, status=deferred (Server certificate not verified)

Can you help me to solve this problem?

--
Thanks & Regards
Hyndavi Rapuru
Re: postfix-tls error
On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote:

> >> smtpd_tls_loglevel = 2
> >
> > Change that to 1, and also set:
> >
> > smtp_tls_security_level = 1
>
> Oops, that should be
>
> smtp_tls_loglevel = 1

Indeed a typo, thanks for the correction, ... and then the OP must
*POST* the resulting logging.

He's not posted the configuration of the sending system or
its logs. This is a waste of everyone's time.

--
Viktor.
Re: postfix-tls error
On 8/2/2017 2:19 AM, Viktor Dukhovni wrote:
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
>
>> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=, orig_to= ,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "
>
> That's nice, but where's the SMTP client's TLS logging?
>
>> queue_run_delay = 30s
>
> Unrelated, but surely too short.
>
>> smtp_enforce_tls = yes
>
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
>
> This has to be sufficient to verify the remote server's certificate.
>
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
>
> Change that to 1, and also set:
>
> smtp_tls_security_level = 1

Oops, that should be

smtp_tls_loglevel = 1

>
>> tls_policy file is as follows
>>
>> [201.123.1.4]:25 secure match=1CorpHQ
>>
>> "1CorpHQ" is exactly same as the CN field of the certificate
>
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
>
> Post TLS logging, after setting the loglevel = 1.
Re: postfix-tls error
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
>> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=, orig_to= , relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified) "
>
> That's nice, but where's the SMTP client's TLS logging?
>
>> queue_run_delay = 30s
>
> Unrelated, but surely too short.
>
>> smtp_enforce_tls = yes
>
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
>
> This has to be sufficient to verify the remote server's certificate.
>
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
>
> Change that to 1, and also set:
>
> smtp_tls_security_level = 1
>
>> tls_policy file is as follows
>> [201.123.1.4]:25 secure match=1CorpHQ
>> "1CorpHQ" is exactly same as the CN field of the certificate
>
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
>
> Post TLS logging, after setting the loglevel = 1.
>
> --
> Viktor.

The mail flow is as follows:

1. sending mail from the Cdr.AHQ user to the Cdr.1CorpHQ user
2. the mail reaches the AHQ mail server successfully (completing TLS negotiation successfully)
3. the AHQ mail server identifies that the mail has to go to the 1CorpHQ mail server
4. TLS negotiation starts
5. but the AHQ mail server is not able to verify the 1CorpHQ mail server certificate

I have posted the 1CorpHQ mail server postconf. For the AHQ server the
configuration is also the same, except for the hostname and the
virtual_mailbox_domains name.

--
Thanks & Regards
Hyndavi Rapuru
Re: postfix-tls error
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
>> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=, orig_to= , relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified) "
>
> That's nice, but where's the SMTP client's TLS logging?
>
>> queue_run_delay = 30s
>
> Unrelated, but surely too short.
>
>> smtp_enforce_tls = yes
>
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
>
> This has to be sufficient to verify the remote server's certificate.
>
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
>
> Change that to 1, and also set:
>
> smtp_tls_security_level = 1
>
>> tls_policy file is as follows
>> [201.123.1.4]:25 secure match=1CorpHQ
>> "1CorpHQ" is exactly same as the CN field of the certificate
>
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
>
> Post TLS logging, after setting the loglevel = 1.
>
> --
> Viktor.

>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
>
> This has to be sufficient to verify the remote server's certificate.

Both server certificates are generated from the same CA, and the same CA
certificate has been added to ca-bundle.crt. The CA certificate is a
self-signed certificate.

I have changed smtpd_tls_loglevel to 1. Even after that, the logs in the
maillog file are the same.

--
Thanks & Regards
Hyndavi Rapuru
Re: postfix-tls error
On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:

> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
> to=, orig_to= ,
> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
> dsn=4.7.5, status=deferred (Server certificate not verified) "

That's nice, but where's the SMTP client's TLS logging?

> queue_run_delay = 30s

Unrelated, but surely too short.

> smtp_enforce_tls = yes

Obsolete, instead set "smtp_tls_security_level = encrypt".

> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt

This has to be sufficient to verify the remote server's certificate.

> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtpd_tls_loglevel = 2

Change that to 1, and also set:

smtp_tls_security_level = 1

> tls_policy file is as follows
>
> [201.123.1.4]:25 secure match=1CorpHQ
>
> "1CorpHQ" is exactly same as the CN field of the certificate

Are there any DNS subject alternative names in the certificate?
Is it issued by a trusted CA? ...

> How to solve the above error...I'm stuck at this point for a long time...
> Any help will be appreciated greatly...

Post TLS logging, after setting the loglevel = 1.

--
Viktor.
postfix-tls error
Hi,

I have enabled TLS in 2 postfix servers (MTA1, MTA2). When I try to send
mail from a simple Java client to a server it works fine; TLS negotiation
happens properly. But when MTA1 tries to send mail to the other MTA, the
mail is deferred with the following log:

" Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: to=, orig_to= , relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified) "

"postconf -n" output is as follows:

bounce_queue_lifetime = 40s
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 5000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 8h
mydestination = $myhostname.$mydomain,$myhostname, $myhostname, localhost.localdomain
mydomain = tcs.mil.in
myhostname = 1CorpHQserver.tcs.mil.in
mynetworks = 127.0.0.0/8, 201.123.80.0/24, 201.123.2.0/24, 201.123.1.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 30s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_starttls_timeout = 300s
smtpd_tls_CApath = /etc/postfix_certs_24_7_17/ca_cert
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix_certs_24_7_17/1corphq_smtp_ad...@tcs.mil.in.pem
smtpd_tls_key_file = /etc/postfix_certs_24_7_17/1corphq_smtp_ad...@tcs.mil.in.key
smtpd_tls_loglevel = 2
smtpd_tls_security_level = encrypt
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_map_ldapusers, ldap:/etc/postfix/ldapdistlist.cf
virtual_gid_maps = static:6000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = 1CorpHQ.tcs.mil.in
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_ldapusers
virtual_minimum_uid = 1000
virtual_uid_maps = static:6000

The tls_policy file is as follows:

[201.123.1.4]:25 secure match=1CorpHQ

"1CorpHQ" is exactly the same as the CN field of the certificate.

How to solve the above error... I'm stuck at this point for a long time...
Any help will be appreciated greatly...

--
Thanks & Regards
Hyndavi Rapuru
Re: postfix tls error on port 587
On Sun, Nov 01, 2015 at 08:08:46PM -0500, David Mehler wrote:

> Thanks. Don't ask me how, but flipping the tls protocols from the list
> I had to high and now the 587 works.

No idea what that means, but so long as you're satisfied...

--
Viktor.
Re: Postfix tls error
> On Sat, Oct 31, 2015 at 04:10:33PM +0530, hyndavirap...@bel.co.in wrote:
>
>> tls_policy file contains:
>>
>> [201.123.80.173]:25 encrypt match=AHQserver
>
> Is the name in the certificate really not fully-qualified? The
> "encrypt" policy does not entail certificate verification.
> Try:
>
> [201.123.80.173]:25 secure match=AHQserver
>
>> transport map details are as follows
>>
>> AHQ.tcs.mil.example relay:[201.123.80.173]:25
>
> That's fine.
>
>> Subject: C=Example, ST=karnataka, O=bel, OU=crl,
>> CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example
>
> Is there a subjectAlternativeName extension in the certificate?
>
> When DNS names are present in the SAN extension, the subject
> CommonName is ignored.
>
> --
> Viktor.

Thanks for the reply... Replacing the following line of tls_policy

[201.123.80.173]:25 encrypt match=AHQserver

with

[201.123.80.173]:25 secure match=AHQserver

solved my problem. Thank you so much...

--
hyndavi
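The tls_policy semantics behind both threads (the 2017 "secure match=1CorpHQ" failure above, where "/emailaddress=..." turned out to be part of the CN, and the 2015 encrypt-versus-secure fix in this message), modelled as an added example; this is not Postfix's code nor the posters' code. PeerCert, policy_allows, cn_from_oneline_subject and the sample e-mail address are assumptions of the example, and wildcards, the default nexthop/dot-nexthop match names and the verify/fingerprint levels are left out.

```python
"""Simplified model of how a Postfix SMTP client decides whether a remote
server certificate satisfies a tls_policy entry.  Illustration only, not
Postfix's own code.  Rules it captures:
  * "encrypt" only demands encryption; the certificate is not checked;
  * "secure" needs a trusted chain AND a match against match= names;
  * if the certificate carries DNS subjectAltNames, the CN is ignored.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PeerCert:
    common_name: str                        # literal value of the CN attribute
    dns_sans: List[str] = field(default_factory=list)
    chain_trusted: bool = True              # outcome of CA chain verification


def parse_policy(entry: str) -> Tuple[str, str, List[str]]:
    """Parse one tls_policy line, e.g. '[201.123.1.4]:25 secure match=1CorpHQ'."""
    parts = entry.split()
    if len(parts) < 2:
        raise ValueError(f"malformed tls_policy entry: {entry!r}")
    nexthop, level = parts[0], parts[1]
    match: List[str] = []
    for opt in parts[2:]:
        if opt.startswith("match="):
            match = opt[len("match="):].split(":")
    return nexthop, level, match


def names_to_match(cert: PeerCert) -> List[str]:
    """DNS SANs, when present, are the only names considered; else the CN."""
    return list(cert.dns_sans) if cert.dns_sans else [cert.common_name]


def policy_allows(entry: str, cert: PeerCert) -> Tuple[bool, str]:
    """Return (deliverable, reason) for a server cert under one policy entry."""
    _nexthop, level, match = parse_policy(entry)
    if level in ("none", "may", "encrypt"):
        return True, f"level {level}: certificate not verified"
    if level != "secure":
        raise ValueError(f"level {level!r} is not modelled here")
    if not cert.chain_trusted:
        return False, "Server certificate not verified (untrusted chain)"
    if not match:
        raise ValueError("this model needs explicit match= names at level secure")
    candidates = names_to_match(cert)
    for want in match:
        for have in candidates:
            if have.lower() == want.lower():  # DNS names compare case-insensitively
                return True, f"name {have!r} matches {want!r}"
    return False, f"Server certificate not verified ({candidates} vs match={match})"


def cn_from_oneline_subject(subject: str) -> str:
    """Naive reading of OpenSSL's '/C=../CN=..' one-line form.  It splits on
    '/', so a CN whose value itself contains '/emailaddress=' is silently
    truncated to what precedes it: exactly the misreading in the thread, and
    why the one-line form cannot tell you what the CN really is."""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return ""


if __name__ == "__main__":
    # Constructed sample values; the address is a placeholder, not the
    # elided one from the thread.
    bad = PeerCert("1CorpHQ/emailaddress=user@example.test")
    good = PeerCert("1CorpHQ")
    policy = "[201.123.1.4]:25 secure match=1CorpHQ"
    print(policy_allows(policy, bad))     # deferred: the CN is the whole string
    print(policy_allows(policy, good))    # delivered: CN is exactly 1CorpHQ
    print(policy_allows(policy.replace("secure", "encrypt"), bad))  # encrypt never verifies
```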
Re: postfix tls error on port 587
On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:

> Still stuck. I've got the below not sure if it helps, it does show
> that on 143 and 587 client wise no peer is being sent or verified.
>
> openssl s_client -starttls smtp -connect localhost:587
> CONNECTED(0003)
> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:

The thing on port 587 is not speaking any recognizable form of TLS.
Logs from the peer would be quite useful in this context.

> openssl s_client -starttls smtp -connect localhost:143
> CONNECTED(0003)

Well, port 143 speaks IMAP not SMTP so "starttls smtp" is not
likely to get far for that port.

> # TLS parameters
> smtpd_tls_auth_only = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA

That looks rather like a random hodge-podge. Try:

smtpd_tls_ciphers = medium

instead.

> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA

Ditto.

> Any help appreciated.

Logs.

--
Viktor.
Re: postfix tls error on port 587
Hi,

Thanks. The only thing I have in the maillog is a connection made, TLS
established, then the connection is dropped.

Thanks.
Dave.

On 11/1/15, Viktor Dukhovni wrote:
> On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:
>
>> Still stuck. I've got the below not sure if it helps, it does show
>> that on 143 and 587 client wise no peer is being sent or verified.
>>
>> openssl s_client -starttls smtp -connect localhost:587
>> CONNECTED(0003)
>> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>
> The thing on port 587 is not speaking any recognizable form of TLS.
> Logs from the peer would be quite useful in this context.
>
>> openssl s_client -starttls smtp -connect localhost:143
>> CONNECTED(0003)
>
> Well, port 143 speaks IMAP not SMTP so "starttls smtp" is not
> likely to get far for that port.
>
>> # TLS parameters
>> smtpd_tls_auth_only = yes
>> smtpd_tls_mandatory_ciphers = high
>> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
>> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
>> CBC3-SHA
>
> That looks rather like a random hodge-podge. Try:
>
> smtpd_tls_ciphers = medium
>
> instead.
>
>> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
>> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
>> CBC3-SHA
>
> Ditto.
>
>> Any help appreciated.
>
> Logs.
>
> --
> Viktor.
Re: postfix tls error on port 587
Hello,

Thanks. Don't ask me how, but flipping the tls protocols from the list I
had to high and now the 587 works. Imap on 143 still won't, but that's
not for this list. The point is for the moment it is working. Thanks for
all your help.

Thanks.
Dave.

On 11/1/15, Viktor Dukhovni wrote:
> On Sun, Nov 01, 2015 at 07:06:42PM -0500, David Mehler wrote:
>
>> Thanks. The only thing I have in the maillog is a connection made, tls
>> established, then the connection is dropped.
>
> Not possible. Those logs don't match the report of a failed SSL
> connection on the client side.
>
> --
> Viktor.
>
Re: postfix tls error on port 587
Hello,

Still stuck. I've got the below not sure if it helps, it does show that
on 143 and 587 client wise no peer is being sent or verified.

openssl s_client -starttls smtp -connect localhost:587
CONNECTED(0003)
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 220 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

openssl s_client -starttls smtp -connect localhost:143
CONNECTED(0003)
didn't found starttls in server response, try anyway...
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 238 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here's my postfix tls and sasl configuration:

main.cf:

# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
# Postfix Quota status service
    check_policy_service inet:127.0.0.1:12345

smtpd_data_restrictions = reject_unauth_pipelining

# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes

# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
#smtp_tls_security_level = may
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

Any help appreciated.

Thanks.
Dave.

On 10/31/15, Viktor Dukhovni wrote:
> On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:
>
>> Thank you. I apologize, let me clarify my statement. I have created my
>> own CA on an offline machine which I use to sign all of my
>> certificates.
>
> Good, that removes ambiguity.
>
>> When you say the client doesn't trust the server certificate, that's
>> not the webmail, that's the submission service not trusting the
>> postfix ServerCertificate, ServerKey, and ServerCAfile options?
>
> Whatever connects to your port 587 submission service is what's
> not trusting the certificate, and sending an alert to that effect,
> which the server logs.
>
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error
>> >> from
>> >> localhost[::1]: 0
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS
>> >> library
>> >> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
Re: postfix tls error on port 587
On Sun, Nov 01, 2015 at 07:06:42PM -0500, David Mehler wrote:

> Thanks. The only thing I have in the maillog is a connection made, tls
> established, then the connection is dropped.

Not possible. Those logs don't match the report of a failed SSL
connection on the client side.

--
Viktor.
Re: Postfix tls error
> hyndavirap...@bel.co.example:
>> 1. error log before adding "smtp_tls_CAfile" param is as follows
>
> I replaced the top-level domain name for privacy reasons.
>
>> postfix/smtp[3525]: certificate verification failed for
>> 201.123.80.173[201.123.80.173]:25: untrusted issuer
>> /C=EXAMPLE/ST=karnataka/L=bangalore/O=bel/OU=crl/CN=MilitaryMessagingCA/emailAddress=ca_ad...@bel.co.example
>
> The certificate could not be verified because an issuer in the
> trust chain was not known.
>
>> postfix/smtp[3525]: 804E8232A0: to=,
>> relay=201.123.80.173[201.123.80.173]:25, delay=10,
>> delays=0.13/0.01/10/0,
>> dsn=4.7.5, status=deferred (Server certificate not trusted)
>
> You require certificate verification, and thus mail is deferred.
>
>> 2. Error log after adding following param
>>
>> smtp_tls_CAfile = /root/hyndavi/CA_cert.pem
>>
>> postfix/smtp[6891]: 17A3F232B1: to= ,
>> relay=201.123.80.173[201.123.80.173]:25, delay=337,
>> delays=327/0.02/10/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified)
>
> Now it knows the issuer, but the name in the certificate does not
> match what Postfix expected. The default is to match the next-hop
> domain but you can change that per-destination in smtp_tls_policy_maps
> with the "match=" attribute, or globally with smtp_tls_secure_cert_match.
>
> Wietse

Thanks for the reply. I have added following line to main.cf

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

tls_policy file contains:

[201.123.80.173]:25 encrypt match=AHQserver

transport map details are as follows

AHQ.tcs.mil.example relay:[201.123.80.173]:25

and server certificate details are

Subject: C=Example, ST=karnataka, O=bel, OU=crl, CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example

After adding smtp_tls_policy_maps also I'm getting same "server
certificate not verified" error... Am I missing anything? Are the
tls_policy file details proper?

Thanking you in advance...

--
Regards
Hyndavi
Re: Postfix tls error
On Sat, Oct 31, 2015 at 04:10:33PM +0530, hyndavirap...@bel.co.in wrote:

> tls_policy file contains:
>
> [201.123.80.173]:25 encrypt match=AHQserver

Is the name in the certificate really not fully-qualified?

The "encrypt" policy does not entail certificate verification. Try:

    [201.123.80.173]:25 secure match=AHQserver

> transport map details are as follows
>
> AHQ.tcs.mil.example relay:[201.123.80.173]:25

That's fine.

> Subject: C=Example, ST=karnataka, O=bel, OU=crl,
> CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example

Is there a subjectAlternativeName extension in the certificate? When
DNS names are present in the SAN extension, the subject CommonName is
ignored.

--
Viktor.
Re: postfix tls error on port 587
Hello,

Thank you. I apologize, let me clarify my statement. I have created my
own CA on an offline machine which I use to sign all of my certificates.

When you say the client doesn't trust the server certificate, that's
not the webmail, that's the submission service not trusting the postfix
ServerCertificate, ServerKey, and ServerCAfile options?

Thanks.
Dave.

On 10/31/15, Viktor Dukhovni wrote:
> On Sat, Oct 31, 2015 at 12:05:29PM -0400, David Mehler wrote:
>
>> I am using self-signed certificates via my own CA if that matters.
>
> A certificate is either self-signed, or issued by a CA. Which is it?
>
>> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
>> localhost[::1]: 0
>> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
>> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
>> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
>> alert number 48:
>
> TLS "alerts" are messages from the remote TLS stack to the local
> TLS stack. It is the client that does not trust the server certificate
> and hangs up. The server just logs the client's reason for aborting
> the connection.
>
>> I'm not sure the CA it's refering to.
>
> The issuer of the server certificate.
>
>> I do have my CA's public
>> certificate defined in smtpd_tls_CAfile and have the smtp client
>> defining smtp_tls_CAfile as the same file as the smtpd server.
>
> The client does not trust the server certificate.
>
> --
> Viktor.
>
Re: postfix tls error on port 587
On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:

> Thank you. I apologize, let me clarify my statement. I have created my
> own CA on an offline machine which I use to sign all of my
> certificates.

Good, that removes ambiguity.

> When you say the client doesn't trust the server certificate, that's
> not the webmail, that's the submission service not trusting the
> postfix ServerCertificate, ServerKey, and ServerCAfile options?

Whatever connects to your port 587 submission service is what's
not trusting the certificate, and sending an alert to that effect,
which the server logs.

> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
> >> localhost[::1]: 0
> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
> >> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> >> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
> >> alert number 48:

In this case the client is "[::1]". More light on this problem is shed
in the client logs, rather than the server logs.

--
Viktor.
postfix tls error on port 587
Hello,

I'm running a FreeBSD 10.2 system, postfix 2.11.6, Openssl 1.0.1P. I'm
working on setting up a webmail client to my existing Postfix/Dovecot/Mysql
setup. I've tried two webmail clients both are giving me the below errors
when the webmail client (postfix dovecot mysql the web server are all
running on the same machine), attempts to send mail through port 587. I am
using port 587 because I've got postscreen running on port 25. I am using
self-signed certificates via my own CA if that matters. Here's the error:

Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: connect from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from localhost[::1]: 0
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL alert number 48:
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: lost connection after STARTTLS from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: disconnect from localhost[::1]

I'm not sure the CA it's referring to. I do have my CA's public
certificate defined in smtpd_tls_CAfile and have the smtp client
defining smtp_tls_CAfile as the same file as the smtpd server.

Again not sure if this matters I'm running Apache 2.4 and Php 5.6.

I'd appreciate any suggestions.

Thanks.
Dave.
Re: postfix tls error on port 587
On Sat, Oct 31, 2015 at 12:05:29PM -0400, David Mehler wrote:

> I am using self-signed certificates via my own CA if that matters.

A certificate is either self-signed, or issued by a CA. Which is it?

> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
> localhost[::1]: 0
> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
> alert number 48:

TLS "alerts" are messages from the remote TLS stack to the local
TLS stack. It is the client that does not trust the server certificate
and hangs up. The server just logs the client's reason for aborting
the connection.

> I'm not sure the CA it's refering to.

The issuer of the server certificate.

> I do have my CA's public
> certificate defined in smtpd_tls_CAfile and have the smtp client
> defining smtp_tls_CAfile as the same file as the smtpd server.

The client does not trust the server certificate.

--
Viktor.
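The point made above, that an "alert" in a Postfix TLS log line is the peer's verdict and not the local stack's, can be read straight off the OpenSSL error code. The following is an added example written for this thread, not Postfix or OpenSSL code. It parses the two error strings posted here (the smtpd "tlsv1 alert unknown ca" warning and the s_client "unknown protocol" failure), splits the 32-bit code into library, function and reason as OpenSSL 1.0/1.1 pack it (the layout of the FreeBSD logs above; OpenSSL 3 packs codes differently but still prints the reason text, which the parser also keeps), and uses the libssl convention that reason codes 1000 and up mean "the peer sent alert (reason - 1000)". The alert names are the RFC 5246 AlertDescription values.

```python
"""Decode OpenSSL error strings from Postfix / openssl s_client logs.

Added example for this thread, not part of Postfix or OpenSSL.  An OpenSSL
1.0/1.1 error code is 0xLLFFFRRR: library (0x14 = ERR_LIB_SSL), function,
reason.  In libssl, reason codes >= 1000 (SSL_AD_REASON_OFFSET) are
"received TLS alert (reason - 1000)" and therefore describe what the
*remote* side decided; smaller reason codes are local parsing failures.
"""
import re

# RFC 5246 section 7.2 AlertDescription values seen when debugging STARTTLS.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

ERR_LIB_SSL = 0x14            # OpenSSL's library number for libssl
SSL_AD_REASON_OFFSET = 1000   # libssl adds this to the alert number

# "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:..."
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)
# Postfix/OpenSSL append the alert number explicitly; used as a cross-check.
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def decode_openssl_error(line):
    """Return a dict describing the first error:XXXXXXXX token in line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    lib = code >> 24
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {
        "code": f"{code:08X}",
        "library": m.group("lib"),
        "function": m.group("func"),
        "function_code": func,
        "reason_text": m.group("reason"),
        "reason_code": reason,
        "alert": None,
        "alert_name": None,
        "logged_alert": None,
        "verdict": "",
    }
    logged = ALERT_RE.search(line)
    if logged:
        info["logged_alert"] = int(logged.group(1))

    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["alert"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, "unknown alert")
        info["verdict"] = (
            f"peer sent TLS alert {alert} ({info['alert_name']}): the remote "
            "side aborted the handshake; its logs hold the real reason"
        )
        if logged and info["logged_alert"] != alert:
            info["verdict"] += " (WARNING: logged alert number disagrees)"
    elif lib == ERR_LIB_SSL:
        info["verdict"] = (
            f"local libssl failure '{m.group('reason')}': this side could not "
            "make sense of what it received (no alert was sent by the peer)"
        )
    else:
        info["verdict"] = f"error from OpenSSL library {lib:#x}, not libssl"
    return info


# The two lines posted in this thread (FreeBSD 10.2, OpenSSL 1.0.1p).
POSTED_LINES = [
    "Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library "
    "problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown "
    "ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:"
    "SSL alert number 48:",
    "34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown "
    "protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:",
]

if __name__ == "__main__":
    for line in POSTED_LINES:
        d = decode_openssl_error(line)
        print(f"{d['code']} {d['function']}: {d['verdict']}")
```

Run against the smtpd line it reports alert 48 (unknown_ca) received from the peer, i.e. the webmail client on [::1] rejected the server certificate, which is exactly the reading given above. Against the s_client line it reports a local "unknown protocol" failure with no alert, meaning the client itself could not parse what port 587 sent back.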
Re: Postfix tls error
hyndavirap...@bel.co.in:
> AHQ.tcs.mil.example relay:[201.123.80.173]:25
...
> [201.123.80.173]:25 encrypt match=AHQserver
...
> CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example

The match= requires a complete match (case-insensitive). You specify
only a substring of the CN attribute.

Wietse
Re: Postfix tls error
On Sat, Oct 31, 2015 at 10:16:37AM -0400, Wietse Venema wrote:

> hyndavirap...@bel.co.in:
> > AHQ.tcs.mil.example relay:[201.123.80.173]:25
> ...
> > [201.123.80.173]:25 encrypt match=AHQserver
> ...
> > CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example
>
> The match= requires a complete match (case-insensitive). You specify
> only a substring of the CN attribute.

Well the CN is just the short name, the real problem is "encrypt" and
possibly SAN DNS entries that preempt the CommonName from the subject DN.

--
Viktor.
Re: Postfix tls error
hyndavirap...@bel.co.example:
> 1. error log before adding "smtp_tls_CAfile" param is as follows

I replaced the top-level domain name for privacy reasons.

> postfix/smtp[3525]: certificate verification failed for
> 201.123.80.173[201.123.80.173]:25: untrusted issuer
> /C=EXAMPLE/ST=karnataka/L=bangalore/O=bel/OU=crl/CN=MilitaryMessagingCA/emailAddress=ca_ad...@bel.co.example

The certificate could not be verified because an issuer in the
trust chain was not known.

> postfix/smtp[3525]: 804E8232A0: to=,
> relay=201.123.80.173[201.123.80.173]:25, delay=10, delays=0.13/0.01/10/0,
> dsn=4.7.5, status=deferred (Server certificate not trusted)

You require certificate verification, and thus mail is deferred.

> 2. Error log after adding following param
>
> smtp_tls_CAfile = /root/hyndavi/CA_cert.pem
>
> postfix/smtp[6891]: 17A3F232B1: to= ,
> relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> dsn=4.7.5, status=deferred (Server certificate not verified)

Now it knows the issuer, but the name in the certificate does not
match what Postfix expected. The default is to match the next-hop
domain but you can change that per-destination in smtp_tls_policy_maps
with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Wietse
Re: Postfix tls error
On Fri, Oct 30, 2015 at 09:20:05AM -0400, Wietse Venema wrote:

> > postfix/smtp[6891]: 17A3F232B1: to=,
> > relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> > dsn=4.7.5, status=deferred (Server certificate not verified)
>
> Now it knows the issuer, but the name in the certificate does not
> match what Postfix expected. The default is to match the next-hop
> domain but you can change that per-destination in smtp_tls_policy_maps
> with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Note that with a nexthop relay of [201.123.80.173], default matching
the relay hostname won't work either. If the recipient domain does
not appear in the peer certificate, then an explicit "match=..." in
the destination policy MUST be specified to match this SMTP server.

--
Viktor.
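The three answers in this thread (match= must equal a certificate name in full, "encrypt" does no name check at all, DNS entries in subjectAltName preempt the CommonName, and a bracketed [address] nexthop defeats the default "nexthop, dot-nexthop" matching) can be checked against a small model of the decision. The following is an added example written for this thread, not Postfix source: it models the name check the Postfix SMTP client applies under a "secure" policy as documented in postconf(5) and TLS_README, with wildcard certificates and the "hostname" strategy left out. The certificate fields and nexthop it exercises are constructed from the (redacted) values posted above; the case where the CommonName is the whole string "AHQserver/emailAddress=..." is one of the possibilities the thread raises, not an established fact about the poster's certificate.

```python
"""Model of the Postfix SMTP client's server-name check under
smtp_tls_security_level=secure (or a "secure match=..." policy entry).

Added example, not Postfix code.  Behaviour modelled from postconf(5):
  * "encrypt" never checks certificate names, so match= is meaningless;
  * "secure" compares the match= names against the DNS subjectAltName
    entries; the subject CommonName counts only when there are none;
  * a match= name must equal a certificate name in full, compared
    case-insensitively; "nexthop" is the transport next-hop host and
    "dot-nexthop" means any name under it (modelled as a suffix match).
Wildcards and the "hostname" strategy are not modelled.
"""


def nexthop_host(nexthop):
    """"[201.123.80.173]:25" -> "201.123.80.173"; "mx.example:25" -> "mx.example"."""
    if nexthop.startswith("["):
        return nexthop[1:nexthop.index("]")]
    host, _sep, port = nexthop.rpartition(":")
    return host if host and port.isdigit() else nexthop


def certificate_names(san_dns, subject_cn):
    """Names Postfix compares: DNS SANs when present, otherwise the CN alone."""
    if san_dns:
        return list(san_dns)
    return [subject_cn] if subject_cn else []


def expand_match(match, nexthop):
    """Replace the "nexthop"/"dot-nexthop" keywords with the next-hop host."""
    host = nexthop_host(nexthop)
    expanded = []
    for pattern in match:
        if pattern == "nexthop":
            expanded.append(host)
        elif pattern == "dot-nexthop":
            expanded.append("." + host)
        else:
            expanded.append(pattern)
    return expanded


def name_matches(pattern, name):
    """Whole-string, case-insensitive; a leading dot means "anything under"."""
    p, n = pattern.lower(), name.lower()
    if p.startswith("."):
        return n.endswith(p) and len(n) > len(p)
    return p == n


def server_name_ok(level, match, nexthop, san_dns, subject_cn):
    """Return (accepted, reason) for one delivery attempt."""
    if level == "encrypt":
        return True, "encrypt: certificate names are not checked at all"
    if level != "secure":
        raise ValueError("model covers only 'encrypt' and 'secure'")
    names = certificate_names(san_dns, subject_cn)
    # Default for "secure" is smtp_tls_secure_cert_match = nexthop, dot-nexthop.
    patterns = expand_match(match or ["nexthop", "dot-nexthop"], nexthop)
    for pattern in patterns:
        for name in names:
            if name_matches(pattern, name):
                return True, f"certificate name {name!r} matches {pattern!r}"
    return False, f"Server certificate not verified: none of {names} matches {patterns}"


# Constructed from the redacted values posted in the thread.
NEXTHOP = "[201.123.80.173]:25"
CN_WHOLE_STRING = "AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example"

if __name__ == "__main__":
    cases = {
        "posted policy, CN is the whole string":
            server_name_ok("secure", ["AHQserver"], NEXTHOP, [], CN_WHOLE_STRING),
        "CN really is just AHQserver (case differs)":
            server_name_ok("secure", ["ahqserver"], NEXTHOP, [], "AHQserver"),
        "DNS SAN present, so the CN is ignored":
            server_name_ok("secure", ["AHQserver"], NEXTHOP,
                           ["ahq.tcs.mil.example"], "AHQserver"),
        "no match=, nexthop is an [address]":
            server_name_ok("secure", None, NEXTHOP, [], "AHQserver"),
        "no match=, nexthop is a domain, SAN under it":
            server_name_ok("secure", None, "AHQ.tcs.mil.example",
                           ["mail.ahq.tcs.mil.example"], None),
    }
    for label, (ok, why) in cases.items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {why}")
```

The first case is Wietse's point: if the CN really is the whole string, "AHQserver" is only a substring and fails. The third is Viktor's: once a DNS SAN exists, a CN-only match= never succeeds. The fourth shows why an explicit match= is mandatory when the transport nexthop is a bracketed address, since the expanded default patterns are an IP literal that no DNS name equals. The last shows the default "nexthop, dot-nexthop" working when the nexthop is the domain itself rather than an [address].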
Re: Postfix tls error
hyndavirap...@bel.co.in:
>
> Hi,
>
> I have enabled tls in 2 postfix servers(MTA1, MTA2). when i try to send
> mail from simple java client to server it is working fine. TLS negotiation
> happened properly. But when MTA1 try to send mail to other MTA, TLS is
> failing by giving following error.
>
> "certificate verification failed for [zz.zz.zz.zz]:25:
> untrusted issuer"

Please provide the COMPLETE logfile record including the program name.

> Yes, I am using self signed certificates for both the servers. Even CA is
> self signed certificate. But I have placed the CA certificate at MTA1
> server and specified the path in "smtp_tls_CAfile". But even after that
> i'm getting same error...

Please provide "postconf -n" output.

Wietse
Re: Postfix tls error
> On 2015-10-29 10:11, hyndavirap...@bel.co.in wrote:
>
> Every 3000 Sheets of paper costs us a tree.. Save trees... Conserve
> Trees. Don't print this email or any Files unless you really need to

this list might be the least appropriate place to spread such agenda.
After all, a MTA is already saving trees by replacing paper mail with
electronic messages.

> Confidentiality Notice
> The information contained in this electronic message and any
> attachments to this message are intended for the exclusive use of
> the addressee(s) and may contain confidential or privileged
> information. If you are not the intended recipient, please notify
> the sender at Bharat Electronics or supp...@bel.co.in immediately
> and destroy all copies of this message and any attachments.

Do I really have to contact Bharat Electronics (supp...@bel.co.in) and
destroy all copies of this email? This is a public mailing list with
public archive. How can this message have any other effect than making
the sender and his company look ridiculous?
Postfix tls error
Hi,

I have enabled tls in 2 postfix servers(MTA1, MTA2). when i try to send
mail from simple java client to server it is working fine. TLS negotiation
happened properly. But when MTA1 try to send mail to other MTA, TLS is
failing by giving following error.

"certificate verification failed for [zz.zz.zz.zz]:25:
untrusted issuer"

Yes, I am using self signed certificates for both the servers. Even CA is
self signed certificate. But I have placed the CA certificate at MTA1
server and specified the path in "smtp_tls_CAfile". But even after that
i'm getting same error...

How to solve the above error... And if MTA need to trust different CA
certs, what is the way to solve the problem...

I'm stuck at this point for a long time... Any help will be appreciated
greatly...

Thanking you
Hyndavi

Every 3000 Sheets of paper costs us a tree.. Save trees... Conserve
Trees. Don't print this email or any Files unless you really need to

Confidentiality Notice
The information contained in this electronic message and any attachments
to this message are intended for the exclusive use of the addressee(s)
and may contain confidential or privileged information. If you are not
the intended recipient, please notify the sender at Bharat Electronics
or supp...@bel.co.in immediately and destroy all copies of this message
and any attachments.